Cooking with Linux - Security for Your Database. It's Totally Mondo!

Security means different things to different people. On your Linux system, security isn't only about keeping people out, it's also about knowing you can restore the e-mail folder you deleted accidentally.

Why can't I log in to our main server, François? You were trying
to improve the security? Without discussing it with me? Yes, yes, of
course, I appreciate the spirit of your intentions, but now there's no
way to access the system remotely at all. In fact, I can't even log in
on the main console. You changed the passwords? And encrypted the
filesystems? Mon Dieu, François, that is certainly a
little over the
top. Well, just tell me the new password, and I'll put things back to the
way they were. What do you mean, you can't? You've forgotten the
passphrase
you used when you encrypted the filesystems?

Luckily for you, mon ami, our guests are already
here, and we
have backups. Head to the wine cellar and bring back the 2001 Mas la
Plana Cabernet from Spain. And, while you are down there, don't lock any
doors or change any combinations.

Welcome, mes amis, to Chez
Marcel, where exceptional vintages are
paired with exceptional Linux and open-source software. Please, take your
seats and make yourselves comfortable. My faithful waiter is in the
cellar
fetching the wine. Before you arrived, François demonstrated admirably
why it is important to have a reliable backup system. Backups can
be simple collections of files burned to a CD, a tarred bundle stored
on a remote system or a copy of your data on a separate drive. There
are, in fact, thousands of ways to create a backup, and for many of us,
it usually involves backing up only those files that are near and dear
to our hearts. In a multiuser environment or on a large, busy system,
picking up files here and there may not be enough. You need everything.

Ah, François, you have returned. Please, pour for our guests. Enjoy,
mes amis, this is a wonderful wine with some some
great, dark
fruit complexity and just a hint of chocolate.

As excellent as the wine might be (and it is), the real star of
tonight's menu is a powerful backup and system recovery program called
Mondo Rescue. The spirit of Mondo Rescue
resides in a scenario
no one wants to envision, a catastrophic system failure. I'm not
talking about losing your e-mail folder (although I would consider this
a catastrophe as well). Mondo Rescue is concerned with
“the hard disk
is gone, the machine has exploded, and we need to start from
scratch”
kind of catastrophe. Or, as in François' case, security enhancements gone
terribly wrong. Mondo Rescue works with a variety of backup media, and it
can create bootable backups that let you restore a mirror image of your
system prior to the disaster.

To get started, visit the Mondo Rescue Web site
to pick up your copy of the software (see Resources). You'll
need a few things to get started, because there isn't a single,
all-inclusive
Mondo Rescue package. Don't worry; it's a short list, and Mondo Rescue
provides packages for an impressive number of distributions and release
levels. The packages you need are afio, buffer,
mindi, mindi-busybox, syslinux and the main
package, the aptly named mondo. As I felt it necessary to use
the word “aptly”, this is where Debian and Ubuntu users can
claim
bragging rights, because they can install everything they need by typing
apt-get install mondo.

Mondo Rescue has, of course, two sides: preparation for
disaster and recovery from that disaster. The backup program is called
mondoarchive, and the restore program is called
mondorestore. Let's start with
the backup program.

The mondoarchive program runs in interactive mode by default,
with a stylish (by ncurses standards) and easy-to-use interface. You
navigate the interface by using your keyboard and pressing the Tab key to
go from one menu option to another. Start mondoarchive
from a shell prompt. You also need to be running as root, so something
like sudo mondoarchive or su -c
'mondoarchive'
should work well.

The Welcome screen (Figure 1) also is the selection screen for your
backup medium. You can choose from CD-R or DVD-R disks, tapes, an
NFS-mounted directory, a location somewhere else on disk and more. Given
the nature of a catastrophic disaster, somewhere on your local disk
may not appear to be the best choice, but you also can use Mondo Rescue
to generate bootable-CD or DVD ISO images from which you can boot and
restore your system. Because many home users have access to a CD or
DVD writer to which they can burn these images, but not necessarily a
tape drive, let's use that as our example.

Figure 1. Ready to back up? Select your medium of choice.

By the way, this isn't the same as backing up directly to a CD- or DVD-recordable drive. If you choose that option, you are asked to insert
blank disks at various points in the process.

Tab to the Hard disk option, and press Enter. You'll be asked
for the pathname to the disk location you want to use for your backup
(Mondo Rescue will provide a suggestion). If you chose a tape-drive
backup,
Mondo Rescue would try to guess the location of your tape
drive—normally
successfully.

The next screen (Figure 2) is worth thinking about,
because it seriously affects the performance of your backup. This is the
compression screen. To minimize the space in which backups are stored,
the mondoarchive program can compress files on the fly. You can elect
to skip compression or select minimum, average or maximum
compression. The higher the compression, the more impact on speed and
performance.

Those of you following along with my example will be writing bootable-ISO image backups to disk, but what kind of images? CD-Rs can store
650MB–700MB of data (depending on the type you bought), and
DVDs can store roughly 4GB. Enter the information in megabytes,
press Tab to select OK, and then move on to the next screen. The ISO
images
are called mondorescue-1.iso, mondorescue-2.iso and
so on. You now have the opportunity to override that naming convention
by selecting a different name. If you're happy with the default, press
Enter to continue.

Next, is the Backup Paths screen. By default, everything is
backed up from the root (/), on down. Most people will be happy
with this and can safely move on to the next screen. Incidentally,
should you happen to have a system with NTFS partitions (such as on
dual-boot systems with Windows), Mondo Rescue offers to back up those
as well and informs you of their presence. You can accept these
or remove them from the list of backed-up partitions.

Having mentioned that it makes sense to back up the whole system, I
recognize you probably really don't want everything. On my system, I
often
have entire filesystems where I download ISOs of Linux distributions so
I can experiment with them on virtual machines. I don't want to back
these up. I also have folders filled with what can be described
only as ephemeral junk—things that seemed like a good
idea at the time, but that I haven't gotten around to cleaning up,
and certainly don't want to back up. Simply list all the
folders you want to exclude from backup, separated by spaces.

Figure 3. You can trim your backups by excluding certain folders
or filesystems.

At this point, you are almost ready to roll. The mondoarchive program
asks whether you want to verify your backup, and then it follows up
with a very strange question: “Are you confident that your kernel
is a sane, sensible, standard Linux kernel? Say 'no' if you are using
Gentoo < 1.4 or Debian < 3.0, please.” Mondo Rescue wants to
make sure
the kernel it uses to boot the CD (or DVD) has the smarts to boot
properly. If you have any doubts, or you like to spin your own kernels,
say no, and Mondo Rescue will use its own. Once you have made a choice,
the mondoarchive program alerts you that it is ready to start. This is
your last chance to change your mind.

The backup begins, also in ncurses graphical mode, starting with the
creation of a catalog of filenames to back up (Figure 4).

Figure 4. Mondo Rescue creates a catalog of files when starting the
backup.

What follows next is interesting only the first few times—mostly
because you probably have better things to do with your time. The
screen shows a report of the backup broken up into file sets,
the creation of boot diskettes and so on. At this point, Mondo Rescue
is ready to back up your data and displays a nice progress bar,
telling you which ISO is being written, how much of it is done and how
long you can expect the whole process to take (Figure 5).

Figure 5. The backup is underway, with an on-screen progress report.

Speaking of better things to do with our time, this is probably
a good time for a wine refill. François, please make sure our
guests' glasses are topped up.

This is all well and good, but sitting in front of a terminal
session running a backup isn't what most people want to do most of
the time. Consequently, all of this can be done from the command line,
which is exactly what you want if you are going to run the program from
a cron job. For example, take a look at the following command:

mondoarchive -Oid /mnt/bigdrive -l GRUB -F -V -3 -N

That command says to create a mondoarchive backup (-O), to
create ISO images (-i), to use a location on disk (-d),
that the bootloader is GRUB (-l), to skip the creation of
boot diskettes (-F), to verify the backup (-V), to use
moderate compression (-3) and to ignore NFS-mounted partitions
(-N). I'm going to concentrate on the interactive mode of
the backup here, but I invite you to examine the various options by
typing
man mondoarchive at a command prompt.

Eventually, you will have a complete backup and, in this case, one
or more ISO images that you can burn to a CD or DVD. The first
disk in the set is the one from which you'll want to boot. In a few
seconds,
you'll see a menu like the one shown in Figure 6 (currently running in a
QEMU
virtual machine).

Figure 6. The Mondo Rescue Boot Menu

You have several options when it comes to restoring your system
(nuke, interactive and expert), including not
restoring your system
(compare). If you choose the nuke option, your system is restored
as it was, and any filesystems currently on your computer are destroyed
and re-created from the backup. Use this option with extreme care. You
also might want to restore one or more files and folders. For this, use
interactive mode. Finally, expert mode drops
you to a command prompt. You also can simply wait a few seconds, and the
restore disk boots normally and then takes you to a graphical (ncurses)
interface for the mondorestore program (Figure 7).

Figure 7. The Top-Level Menu for the mondorestore Program

Your four choices, although worded differently, are the same as those
you saw earlier at boot time. If you choose Interactively, you'll be
prompted for the source of your backups. Before we go any further, it's
worth noting that the idea behind Mondo Rescue is to provide a means of
disaster recovery when everything is gone, which is why backups are
created
to be bootable (tapes, CDs and so forth). This is fantastic if major
disaster
strikes, but what if it's a minor disaster, such as accidentally deleting
your boss' e-mail folder? You certainly don't want to take down a running
production system, even if the only important information in his e-mail
folder are stats from a football pool. Luckily, you can restore
a file or folder to a live system, interactively. This is how you do it.

It may take a few seconds for the program to extract the file catalog,
but soon you'll be presented with a list of files and folders starting
from the root directory. Using the arrow keys, you can navigate up and
down
through the list. Along the bottom of this screen are text buttons
labeled Less, More, Toggle, RegEx, Cancel and OK (Figure 8). To
expand a folder or directory, cursor to the right, go to the More button,
and press Enter. To select a file or folder for restoring, cursor right
again to the Toggle button, and press Enter. An asterisk appears to
the left of the filename you've selected. Press Enter again to deselect
it. To continue searching through the file list, cursor left past the
Less
button, and you can scroll up and down through the list again.

Figure 8. Choosing
the Files or Folders to Restore

Before you ask, the reason I didn't mention the RegEx button is that
this is still a feature under development, and it really doesn't do
anything
at this time.

Once you have selected everything you want to restore, cursor over
to the OK button, and press Enter. An alert pops up asking
whether you are happy with your selection. Press Yes to continue with the
restore. On the next screen, select a restore path. If
you want to restore in place (and overwrite any current files), accept
the default, which is the root directory. Often, you'll want to restore a
file into an alternate location and move it back when you are satisfied
with its content. If that is the case, enter an alternate path, and press
Enter. The next screen (Figure 9), boasts “Restoring from
archives”
and provides a nice report of the restore process.

Figure 9. Hurrah! The
lost files are being restored.

The dialog displays the tarball in which it is currently searching,
on which disc, a percentage of completion and an estimated time remaining
before all your files are restored. That's it. Your all-important files
(and, they are all important when lost) have been
restored.

Once again, mes amis, the clock indicates that it is
indeed
closing time. I trust you are feeling satisfied and relaxed from the
wine. While François refills your glasses a final time, I should point
out that development on Mondo Rescue is ongoing, and there is a helpful
and enthusiastic user base, ready to help with any issues you might
encounter. Take a moment to visit the support page and join the mailing
list on the Mondo Rescue site, and you'll not only be more relaxed, you
also will sleep soundly knowing your data can be restored. Please raise your
glasses, mes amis, and let us all drink to one
another's health.
A vôtre santé Bon appétit!